One of the paces where Team Center defines how to check where the user has authority is in the ACA_USER table in the APM database. In this case the user had recently been switched from EEM with LDAP to local authentication however the row in the ACA_USER table still reflected the old realm e.f.e the column realm_id still showed LDAP (checked using select * from ACA_USER where user_id = 'Admin';)

Deleted this row and re-logged in and the entry was recreated with the realm_id set to 'Local Users and Groups'

After an EM restart the access was then restored.

Note that In this situation ATC will also uses the domains.xml file to check authority and so the user should be correctly defined there too